Solved

PIX VPN/XP Client question.

Posted on 2006-07-03
Last Modified: 2010-04-12
I have a user who telecommutes from home over VPN.  The problem is - when he's connected to the VPN - he can't browse web pages external to the office network - only internal web sites.  It seems I have had success in the past in VPN Properties/Networking Tab/Internet Protocol (TCP/IP)/Properties button/Advanced Button/check "Use default gateway on remote network".  But this hasn't been a consistent fix...  Any ideas?
Question by: LTWadmin

6 Comments
Accepted Solution by lrmoore (LVL 79, earned 125 total points), ID: 17033992
Which client does he use? PIX supports both Cisco VPN client and the Microsoft PPTP client.
Microsoft client works if you un-check the use default gateway on remote network box, but may break their ability to access internal resources.
Cisco client is totally controlled by the PIX. The network admin would have to enable "split-tunneling" which may or may not be against company policy.

Author Comment by LTWadmin, ID: 17123636
lrmoore -

Thanks.  He's using the Microsoft PPTP Client in XP Pro.  Is split tunneling a security risk?
Assisted Solution by muff (LVL 9, earned 125 total points), ID: 17125961

Split-tunnelling can be a risk because it enables a PC to be connected to untrusted and trusted networks simultaneously.  Untrusted = the internet.

Imagine a piece of malicious software that connected to an attacker's site and waited for instructions while the VPN client was connected to the company network.  The user's PC could then provide the attacker the same level of access to the company network as the user.

This risk can be mitigated somewhat by ensuring that the user's antivirus software is up to date prior to allowing a connection, and by limiting what the user can install on their PC.

A more secure alternative that provides the user with access to the web while connected to the company network would be to use a proxy server that is on the company network.  In other words, don't use split-tunnelling at all - web requests would be forwarded to the proxy, which would request the web page on the user's behalf.

koan
Expert Comment by lrmoore (LVL 79), ID: 17126380
Yes, split tunneling is a "HUGE" risk.
The problem with using the Microsoft client is that the USER is in full control with one little tick of the box "Use default gateway on remote network". Un-tick it and split-tunneling is enabled.
The Cisco VPN client is 100% controlled by the ADMIN.
One of the best solutions is to set up a web proxy at HQ, force use of the Cisco VPN client and force users to go through the proxy.
The reason that it is not consistent is the classful nature of PPTP. It all depends on the class of the IP address assigned to the client and to the remote LAN. I can explain that further if necessary, but it's a lesson in classful IP networks....
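The two points lrmoore makes above (un-ticking the box is what turns split tunnelling on, and whether the "fix" works depends on the class of the assigned address) worked through as a small route-table model. This is an added illustration, not code from anyone in the thread. It assumes the classic Windows 2000/XP PPTP client behaviour: with "Use default gateway on remote network" un-ticked the client adds only a route to the classful (A/B/C) network of the address the PIX handed it, and with the box ticked it adds a 0.0.0.0/0 default route through the tunnel as well. The office subnets, client addresses and the internet host 203.0.113.10 (an RFC 5737 documentation address) are all constructed for the example.

```python
"""Model of the route table a classic Windows 2000/XP PPTP client builds,
showing why un-ticking "Use default gateway on remote network" both enables
split tunnelling and only "works" for some office address plans.

Added illustration, not code from the thread. Assumed client behaviour:
  * box un-ticked: the only route added over the tunnel is the classful
    (A/8, B/16, C/24) network of the address the PIX assigned to the client;
  * box ticked: a 0.0.0.0/0 default route over the tunnel is added as well,
    so all traffic (including web browsing) is sent to the office.
"""
import ipaddress

# Constructed stand-in for "some host on the internet" (RFC 5737 TEST-NET-3).
INTERNET_HOST = "203.0.113.10"


def classful_network(addr: str) -> ipaddress.IPv4Network:
    """Classful network implied by the first octet of addr (A: /8, B: /16, C: /24)."""
    ip = ipaddress.IPv4Address(addr)
    first_octet = int(ip) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        raise ValueError(f"{addr} is not a class A, B or C unicast address")
    return ipaddress.IPv4Network((ip, prefix), strict=False)


def tunnel_routes(assigned_ip: str, use_default_gateway: bool) -> list:
    """Routes the client points at the PPTP interface (assumed behaviour, see above)."""
    routes = [classful_network(assigned_ip)]
    if use_default_gateway:
        routes.append(ipaddress.IPv4Network("0.0.0.0/0"))
    return routes


def via_tunnel(dest: str, assigned_ip: str, use_default_gateway: bool) -> bool:
    """True if traffic to dest goes down the VPN rather than out the home ISP link."""
    d = ipaddress.IPv4Address(dest)
    return any(d in route for route in tunnel_routes(assigned_ip, use_default_gateway))


def assess(assigned_ip: str, office_subnets: list, use_default_gateway: bool) -> dict:
    """Summarise the user's experience for one address plan and tick-box setting.

    split_tunnel is True when the PC still reaches the internet outside the tunnel
    while the VPN is up, which is the condition the thread warns about.
    """
    office_reachable = {}
    for subnet in office_subnets:
        net = ipaddress.IPv4Network(subnet)
        # A subnet counts as reachable only if the whole of it is covered by a tunnel
        # route; since routes are contiguous prefixes, checking both ends is enough.
        office_reachable[subnet] = (
            via_tunnel(str(net.network_address), assigned_ip, use_default_gateway)
            and via_tunnel(str(net.broadcast_address), assigned_ip, use_default_gateway)
        )
    internet_via_tunnel = via_tunnel(INTERNET_HOST, assigned_ip, use_default_gateway)
    return {
        "tunnel_routes": [str(r) for r in tunnel_routes(assigned_ip, use_default_gateway)],
        "office_reachable": office_reachable,
        "internet_via_tunnel": internet_via_tunnel,
        "split_tunnel": not internet_via_tunnel,
    }


if __name__ == "__main__":
    office = ["192.168.1.0/24", "192.168.2.0/24"]
    # Box un-ticked, client lands in 192.168.1.x: web works, but only one office subnet is reachable.
    print(assess("192.168.1.50", office, use_default_gateway=False))
    # Box un-ticked with a 10.x plan: the /8 classful route happens to cover the whole office.
    print(assess("10.0.5.50", ["10.1.0.0/16", "10.2.0.0/16"], use_default_gateway=False))
    # Box ticked: no split tunnel, so external web only works if HQ routes or proxies it.
    print(assess("192.168.1.50", office, use_default_gateway=True))
```

The three scenarios reproduce the thread: with the box un-ticked the PC is split-tunnelled in every case, and whether the office is fully reachable depends entirely on whether the classful route implied by the assigned address happens to cover the office subnets; with the box ticked nothing is split-tunnelled and external browsing only works if HQ provides a path, which is why the proxy-at-HQ recommendation follows.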
